3  Report  of  Inventions 

4  Scientific  Progress  and  Accomplishments 

Significant scientific progress has been made during the fourth and final year of grant DAAD190110003
in the following areas. We have continued the development of PIOAL, the process-algebraic specification
language for Probabilistic I/O Automata (PIOA) that forms the basis for our tool integration effort,
namely the integration of the PIOATool and the Concurrency Workbench. We have also developed a
Monte Carlo model checking algorithm, based on random sampling of lassos in Büchi automata; a
hybrid-automaton model of cardiac cells that efficiently captures many essential aspects of the cell's
biological behavior; and a safety/liveness semantics for UML 2.0 Sequence Diagrams. We have moreover
pursued the development of a mathematical formalism supporting the combined modeling of functional
and performance aspects of systems, and the development of a mathematical formalism for software
architecture specification.

4.1  Process-Algebraic  Language  for  PIOA 

PIOAL is a process-algebraic specification language based on PIOA. We presented PIOAL in a
CONCUR 2003 paper that describes the new language, its typing rules, and its operational semantics.
The paper also presents basic metatheorems relating the typing rules and the operational semantics, and
establishes congruence properties with respect to probabilistic bisimulation equivalence and PIOA
behavior equivalence. Over the past year, we implemented a stand-alone parser and type-checker for
PIOAL. In addition, we implemented an algorithm for translating specifications expressed in this
language directly into Linear Decision Diagrams, the matrix-based representation used internally
by PIOATool.

We have been looking for axiomatizations of the two equivalences mentioned above for fragments
of the language and have succeeded in finding an axiomatization in the case of probabilistic
bisimulation. Moreover, a complete axiomatization for PIOA behavior equivalence is nearly finished;
this work will be written up for publication before the end of the calendar year.

4.2  Monte  Carlo  Model  Checking 

In a TACAS 2005 paper with Radu Grosu, we describe MC2, what we believe to be the first
randomized, Monte Carlo algorithm for temporal-logic model checking. Given a specification $S$ of a
finite-state system, an LTL formula $\varphi$, and parameters $\varepsilon$ and $\delta$, MC2 takes
$M = \ln(\delta) / \ln(1 - \varepsilon)$ random samples (random walks ending in a cycle, i.e., lassos)
from the Büchi automaton $B = B_S \times B_{\neg\varphi}$ to decide if $L(B) = \emptyset$. Let $p_Z$
be the expectation of an accepting lasso in $B$. Should a sample reveal an accepting lasso $l$, MC2
returns false with $l$ as a witness. Otherwise, it returns true and reports that the probability of
finding an accepting lasso through further sampling, under the assumption that $p_Z \geq \varepsilon$,
is less than $\delta$. It does so in time $O(MD)$ and space $O(D)$, where $D$ is $B$'s recurrence
diameter, using an optimal number of samples $M$. Our experimental results demonstrate that MC2
is fast, memory-efficient, and scales extremely well.
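The following Python program is an added illustration of the MC2 sampling scheme described above; it is not code from the TACAS 2005 paper or from PIOATool. It assumes the product Büchi automaton B is already available as an explicit adjacency dictionary (the real algorithm explores the product on the fly), and the small automaton, the state names, and the treatment of dead ends as non-accepting samples are constructions of this example. Each random walk stops at the first repeated state, so only the current path is kept in memory, which is what bounds space by the recurrence diameter D.

```python
import math
import random

# Constructed product automaton B = B_S x B_notphi, given explicitly for this
# example. The cycle s2 -> s3 -> s2 visits the accepting state s3 and is
# reached from s0 on roughly half of all random walks.
EXAMPLE_B = {
    "s0": ["s1", "s2"],
    "s1": ["s1"],        # non-accepting self-loop
    "s2": ["s3"],
    "s3": ["s2"],        # s3 is accepting, so this cycle is an accepting lasso
}
EXAMPLE_ACCEPTING = {"s3"}


def sample_count(epsilon, delta):
    """M = ln(delta) / ln(1 - epsilon), rounded up.

    If the probability p_Z of drawing an accepting lasso is at least epsilon,
    the chance that all M samples miss one is (1 - p_Z)^M <= (1 - epsilon)^M,
    which is below delta for this choice of M.
    """
    if not (0 < epsilon < 1 and 0 < delta < 1):
        raise ValueError("epsilon and delta must lie in (0, 1)")
    return math.ceil(math.log(delta) / math.log(1.0 - epsilon))


def random_lasso(automaton, initial, rng):
    """Random walk from `initial` until a state repeats.

    Returns (prefix, cycle): the states visited before the repeated state and
    the cycle that starts at it. Only the current path is stored, so memory is
    bounded by the recurrence diameter. A dead end (no successors) yields an
    empty cycle, which this example treats as a non-accepting sample.
    """
    path = [initial]
    position = {initial: 0}
    state = initial
    while True:
        successors = automaton.get(state, [])
        if not successors:
            return path, []
        state = rng.choice(successors)
        if state in position:
            i = position[state]
            return path[:i], path[i:]
        position[state] = len(path)
        path.append(state)


def is_accepting_lasso(cycle, accepting):
    """A lasso is accepting iff its cycle visits at least one accepting state."""
    return any(s in accepting for s in cycle)


def mc2(automaton, initial, accepting, epsilon, delta, seed=0):
    """Monte Carlo emptiness check for L(B).

    Returns (False, (prefix, cycle)) with an accepting lasso as a witness, or
    (True, None), meaning: if p_Z >= epsilon, the probability that an accepting
    lasso exists but every one of the M samples missed it is below delta.
    """
    rng = random.Random(seed)
    m = sample_count(epsilon, delta)
    for _ in range(m):
        prefix, cycle = random_lasso(automaton, initial, rng)
        if is_accepting_lasso(cycle, accepting):
            return False, (prefix, cycle)
    return True, None


if __name__ == "__main__":
    print("M for epsilon = delta = 0.01:", sample_count(0.01, 0.01))
    verdict, witness = mc2(EXAMPLE_B, "s0", EXAMPLE_ACCEPTING, 0.1, 0.1)
    print("L(B) empty:", verdict, "witness:", witness)
```

For epsilon = delta = 0.01 the bound gives M = 459 samples regardless of the size of B, which is the point of the approach: the cost is M walks of length at most D, not a traversal of the whole product automaton. A `True` verdict is probabilistic and only meaningful relative to the chosen epsilon; a `False` verdict comes with a concrete counterexample lasso that can be replayed against the original specification.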

We  are  also  in  the  process  of  applying  Monte  Carlo  techniques  to  the  model-checking  problem 
for  timed  automata.  Our  initial  results  indicate  that  the  performance  and  scalability  advantages  of 
the  Monte  Carlo  approach  carry  over  into  the  setting  of  real-time  systems. 

4.3  Efficient  Modeling  of  Excitable  Cells  Using  Hybrid  Automata 

This effort is concerned with using hybrid automata (HA) for efficiently modeling complex
biological systems. HA combine discrete transition graphs with continuous dynamics. Our goal is
to efficiently capture the behavior of excitable cells previously modeled by systems of nonlinear
differential equations. In particular, we derive HA models from the Hodgkin-Huxley model of the
giant squid axon, the Luo-Rudy dynamic model of a guinea pig ventricular cell, and a model of a
neonatal rat ventricular myocyte. Our much simpler HA models are able to successfully capture
the action-potential morphology of the different cells, as well as reproduce typical excitable-cell
characteristics, such as refractoriness (a period of non-responsiveness to external stimulation) and
restitution (adaptation to pacing rates). To model electrical wave propagation in a cell network,
the single-cell HA models are linked to a classical 2D spatial model. The resulting simulation
framework exhibits significantly improved computational efficiency in modeling complex wave patterns,
such as the spiral waves underlying pathological conditions in the heart. A description of this work
appears in a CMSB (Computational Methods for Systems Biology) paper.

4.4  Safety/Liveness  Semantics  for  UML  2.0  Sequence  Diagrams 

We provide an automata-theoretic solution to one of the main open questions about the UML
standard, namely how to assign a formal semantics to a set of sequence diagrams without compromising
refinement. Our solution relies on a rather obvious idea that, to our knowledge, has not been
used before in this context: that bad and good sequence diagrams in the UML standard should
be regarded as safety and liveness properties, respectively. Proceeding in this manner, we obtain
a semantics that essentially complements the set of behaviors associated with the set of sequence
diagrams, thereby allowing us to use the standard notion of refinement as language inclusion. We
show that refinement in this setting is compositional with respect to sequential composition,
alternative composition, parallel composition, and star+ composition. A paper on this work, performed
jointly with Radu Grosu, appeared in ACSD 2005.

4.5  Architectural  System  Modeling 

We also continued developing the executable modeling notations developed as part of the original
CARA research effort. In one line of work, we gave a thorough algebraic characterization of
hierarchical state machines with so-called "boundary-crossing" transitions. Such state machines
are very useful in practice, as evidenced by the popularity of the Statecharts notation. However,
it was a widely held belief that, like goto statements, boundary-crossing transitions inherently
"break" system structure and thus cannot be accounted for in a compositional manner. We showed
this not to be the case by developing the notion of boundary-crossing transitions as
"exception-raising".

We also extended the Architectural Interaction Diagrams (AIDs) software-architecture framework
to incorporate notions of security. AIDs permit executable system models to be assembled
out of executable components; by including features that regulate information flow, we showed how
simulation-based techniques may be used to identify and repair security breaches.


5  Technology  Transfer 

Cleaveland and Smolka are co-founders, along with Steve Sims, of Reactive Systems, Inc. (RSI),
which makes advanced design tools for control-software engineering. RSI's main product is the
Reactis tool suite, a companion product to The MathWorks model-based design tools. Reactis allows
MathWorks users to automatically generate thorough yet compact test suites for Simulink/Stateflow
models. It also allows one to visualize the execution of models on generated tests with a highly
sophisticated visual simulation environment. The company is a member of The MathWorks Connections
program, and currently has 25 automotive and aerospace customers spread across seven
countries. Cleaveland also made over 40 presentations about Reactis to different customers during
the year. Part of the technology underpinning Reactis has been influenced by ARO-supported
research of Cleaveland and Smolka. To learn more about Reactive Systems, please visit the company
web site at www.reactive-systems.com or contact Cleaveland or Smolka directly.

In other technology-transfer efforts, Scott Smolka gave a presentation on Monte Carlo model
checking at the ARO-sponsored 2004 HCES workshop on High-Confidence Embedded Systems.
Cleaveland gave presentations on his and Smolka's experiences in starting Reactis at the 2004
Monterey Workshop in Baden, Austria, and he delivered an invited address on software V&V at
the MATLAB EXPO, the premiere model-based software development meeting in Tokyo.